21CFR11 Pro Tips

Hello good people of the world! A short post today, on the FDA’s 21CFR11, also known as “Part 11.” Part 11 covers electronic records and electronic signatures, and is short enough to read in a single sitting. You can see the whole thing here. 21CFR11 was first introduced in 1997, as part of an understanding that traditionally paper-based records (e.g. batch records, maintenance records, etc.) were going to go electronic with the spreading of computer-based technology.

The primary purpose of 21CFR11 is to ensure electronic systems have controls in place such that electronic data and signature integrity is maintained to the same level as in traditional paper-based systems. The agency (FDA) had decades of experience with the mostly industry-defined good documentation practices that ensured paper-based systems’ data maintained integrity and had traceability (e.g. single line-out for errors, initial/date all data entries, etc.) and realized without requisite controls, electronic systems could have none of that. Think about an out-of-the-box Excel spreadsheet: if you make a change to data in a cell, there is no way to know what the original value was, who made the change, and when, without additional controls.

That is what Part 11 addresses. The two major outcomes of the regulation are: audit trail, which requires that with any change, who made the change, when the change was made, and the old and new values are recorded in a log that cannot be edited, exists, and electronic signatures, which requires that any “signature” meant to take the place of a handwritten signature must be unique and traceable via a password.

Part 11 initially created a lot of confusion, some of which continues to this day. But keep in mind 21CFR11 applies to electronic records and electronic signatures. If you’re not storing any data or capturing any signatures, 21CFR11 does not apply. Take, for instance, those Excel spreadsheets I mentioned earlier: they’re fine without an audit trail as long as you’re not using them to store data (e.g. you’re using them transiently to perform calculations). But, just as critical, just because 21CFR11 does not apply to your computerized system does not mean you don’t need to control or qualify it. Any GxP system should be controlled and qualified, regardless of how it’s used.

What tips do you have on understanding and complying with 21CFR11? Leave your comment below!

Like this MWV (Mike Williamson Validation) post? Be sure to like, share, and subscribe!